Home > Blogs > VMware Security & Compliance Blog

VMSA-2018-0001

New VMware Security Advisory VMSA-2018-0001

On January 2nd 2018 VMware released the following new security advisory:

VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical severity issues affecting VDP.

Issue (a) is an authenication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

These issues have been addressed in VDP 6.1.6 and 6.0.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0021

Today VMware has released the following new security advisory:

“VMSA-2017-0021 – VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities”

This documents the remediation of four Important severity issues (CVE-2017-4933, CVE-2017-4940, CVE-2017-4941, and CVE-2017-4943). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server Appliance.

Issues (a) CVE-2017-4941 and (b) CVE-2017-4933 are stack overflow and heap overflow vulnerabilities respectively. Successful exploitation of these issues could result in remote code execution in a virtual machine via the authenticated VNC session. These issues affect VMware ESXi, Workstation, and Fusion. In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine’s .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

Issue (c) CVE-2017-4940 is a stored cross-site scripting vulnerability and affects the ESXi Host Client. An attacker can exploit this vulnerability by injecting JavaScript, which might get executed when other users access the Host Client. Please refer to VMSA-2017-0021 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (d) CVE-2017-4943 is a privilege escalation vulnerability via the ‘showlog’ plugin in vCenter Server Appliance (vCSA). Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. This issue affects only vCSA 6.5.

We would like to thank Alain Homewood of Insomnia Security, Lukasz Plonka, Lilith Wyatt and another member of Cisco Talos for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2017-0020

Today VMware has released the following new security advisory:

VMSA-2017-0020: VMware AirWatch Console updates address Broken Access Control vulnerability.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to Airwatch Support.

New VMware Security Advisories VMSA-2017-0018 and VMSA-2017-0019

11/17/2017 – Updated VMSA-2017-0018 to add the DLL hijacking issue.

Today, we released VMSA-2017-0018 and VMSA-2017-0019.

VMSA-2017-0018 – VMware Workstation, Fusion, and Horizon View Client updates resolve multiple security vulnerabilities

This documents critical, important and moderate severity vulnerabilities affecting VMware Horizon View Client for Windows 4.x, Workstation 12.x and Fusion 8.x.

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4934) which affects VMware Workstation and Fusion and may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issues (b) and (c) are out-of-bounds read/write vulnerabilities (CVE-2017-4935, CVE-2017-4936 and CVE-2017-4937) in JPEG2000 parser in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.8 and Horizon View Client for Windows 4.6.1.

Issue (d) is a NULL pointer dereference vulnerability (CVE-2017-4938) in guest RPC and affects VMware Workstation and Fusion. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issue (e) is a DLL hijacking issue (CVE-2017-4939) that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code. VMware Workstation versions 12.x are affected. Workstation 12.5.8 fixes this issue.

We would like to thank Ke Liu of Tencent’s Xuanwu Lab, Skyer, Björn Ruytenberg, Jun Mao of Tencent PC Manager working with Trend Micro’s Zero Day Initiative and Anonymous working with Trend Micro’s Zero Day Initiative for reporting these issues to us.

VMSA-2017-0019 – NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue

This documents a moderate severity cross-site scripting issue (CVE-2017-4929) affecting NSX Edge (6.2.x, and 6.3.x). Successful exploitation of this issue may lead to information disclosure. This issue has been addressed in NSX Edge versions 6.2.9 and 6.3.5.

We would like to thank Jarad Kopf of Deltek and Issam Rabhi for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0017

Today VMware has released the following new security advisory:

VMSA-2017-0017 – VMware vCenter Server update resolves LDAP DoS, SSRF and CLRF injection issues

This documents the remediation of two moderate severity issues, CVE-2017-4927 and CVE-2017-4928. These issues affect VMware vCenter Server.

Issue (a) CVE-2017-4927: VMware vCenter Server doesn’t correctly handle specially crafted LDAP network packets which may allow for remote DoS. This issue affects vCenter Server 6.5 and 6.0. vCenter Server 6.5 U1 and 6.0 U3c fix this issue.

Issue (b) CVE-2017-4928: SSRF and CRLF injection issues in vSphere web client. This issue affects vCenter Server 6.0 and 5.5. vCenter Server 6.0 U3c and 5.5 U3f fix this issue.

We would like to thank Honggang Ren of Fortinet’s FortiGuard Labs and ricterzheng @ Tencent Yunding Lab for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2017-0016

Today VMware has released the following new security advisory:

VMSA-2017-0016: VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Security Patches for VMware vCenter Server Appliance Photon OS

Our customers have indicated that they would like to see VMware more frequently update the Photon OS operating system that powers the vCenter Server Appliance (VCSA). To follow up on this request, we have now started a program that will provide monthly patches for the VCSA operating system.

The program will address important security issues that are present in the VCSA Photon OS operating system on a monthly basis. In some months (e.g. this month) the update will be through stand-alone patches while in other months they may be rolled into regular VCSA maintenance releases.

The release notes for the first monthly patch are found here, and today’s post on the VMware vSphere blog gives more details about the program.

Please send your feedback and questions to security (at) vmware (dot) com.

October 27 Update
Last night we released the second monthly patch for the VCSA PhotonOS operating system (6.5 U1b). This time the patch also contains a couple of fixes for functional issues, see the reference in the bottom table of the rolling release notes for this program.

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component affected from SVGA driver to device.

Today VMware has released the following new security advisory:

“VMSA-2017-0015.1 – VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities”

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Response Center @ VMworld 2017

For those visiting VMworld, come and meet VMware Trust and Assurance (which includes VMware Security Response Center) in Las Vegas next week or in Barcelona in three weeks from now. Bring your questions and concerns on security issues in our products and services, and how we address these. We would also like to have feedback on the VMware Security Advisories and our patch policies.

How to find us? We are accepting 1:1 meetings at VMworld. If you would like to schedule a meeting please contact your Technical Account Manager with a general idea of what you would like to speak with us about and we will schedule time with you. Alternatively just come and meet us; we are stationed in the Listening Post located in the VM Village. This is the lounge area with seats and games ~~on the top floor~~.

We share the Listening Post with other teams and they would be delighted with your visit as well! They are Support, Customer advocacy, and the Information Experience, Quality Assurance, and Product Globalization teams of the VMware R&D Central Organization.

Update August 28
We are ready to roll tomorrow when VMworld opens! Come by the Listening Post in the VM Village and talk to us about your challenges and suggestions regarding the security of our products. Our co-workers will be there to discuss quality, support, documentation, and globalization.

New VMware Security Advisory VMSA-2017-0014

Today, VMware has released the following new security advisory:

VMSA-2017-0014 – VMware NSX-V Edge updates address OSPF Protocol LSA DoS

The advisory documents a hard to exploit denial of service vulnerability in the implementation of the OSPF protocol in NSX-V Edge (CVE-2017-4920). This issue is present due to incorrect handling of link-state advertisements (LSA). NSX-V Edge 6.2.8 and NSX-V Edge 6.3.3 address the issue.

We would like to thank Adi Sosnovich, Orna Grumberg and Gabi Nakibly for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.